TY - GEN
T1 - A Hitchhiker's Guide to White-Box Neural Network Watermarking Robustness
AU - De Sousa Trias, Carl
AU - Mitrea, Mihai
AU - Tartaglione, Enzo
AU - Fiandrotti, Attilio
AU - Cagnazzo, Marco
AU - Chaudhuri, Sumanta
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023/1/1
Y1 - 2023/1/1
N2 - The present study deals with white-box Neural Network (NN) watermarking and focuses on the robustness property. The first contribution consists of formalizing neuron permutation as a geometric attack, thus demonstrating the very existence of this class of attacks for NN watermarking. The second contribution consists of devising the corresponding counter-attack and demonstrating its effectiveness. As a side result, the possibility of extending the scope of NN white-box watermarking beyond image classification is brought to light. The experimental study considers three state-of-the-art methods, four NN models, three tasks (image classification, segmentation, and video coding), and five types of attacks. We stress that none of the existing methods is robust against the geometric attack, and that the counter-attack advanced in this paper effectively restores robustness.
AB - The present study deals with white-box Neural Network (NN) watermarking and focuses on the robustness property. The first contribution consists of formalizing neuron permutation as a geometric attack, thus demonstrating the very existence of this class of attacks for NN watermarking. The second contribution consists of devising the corresponding counter-attack and demonstrating its effectiveness. As a side result, the possibility of extending the scope of NN white-box watermarking beyond image classification is brought to light. The experimental study considers three state-of-the-art methods, four NN models, three tasks (image classification, segmentation, and video coding), and five types of attacks. We stress that none of the existing methods is robust against the geometric attack, and that the counter-attack advanced in this paper effectively restores robustness.
KW - counter-attack
KW - geometric attacks
KW - neural network
KW - robustness
KW - watermarking
KW - white-box
UR - https://www.scopus.com/pages/publications/85179508241
U2 - 10.1109/EUVIP58404.2023.10323067
DO - 10.1109/EUVIP58404.2023.10323067
M3 - Conference contribution
AN - SCOPUS:85179508241
T3 - Proceedings - European Workshop on Visual Information Processing, EUVIP
BT - 2023 11th European Workshop on Visual Information Processing, EUVIP 2023 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 11th European Workshop on Visual Information Processing, EUVIP 2023
Y2 - 11 September 2023 through 14 September 2023
ER -
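The abstract above describes neuron permutation as a geometric attack on white-box watermarks: reordering the hidden units of a layer (and the matching input columns of the next layer) leaves the network's function untouched but scrambles any mark that was read out of the weights in their original order. The following is an added example, written for this record and not code from the paper or its authors, that makes the mechanism concrete on a toy two-layer ReLU MLP. Everything in it is an assumption chosen for illustration: the layer sizes, a projection-based watermark on the flattened first-layer weights (in the spirit of Uchida et al.'s white-box method, but embedded with a perceptron-style update instead of a training regularizer), the attacker's permutation, and the counter-measure, which here is simply re-sorting the hidden neurons by a permutation-invariant key before extraction. It is not the paper's counter-attack, only one way to realize the idea that the extractor must not depend on the stored neuron order.

```python
"""Toy neuron-permutation attack on a white-box NN watermark, and a
canonical-ordering counter-measure. Constructed example in pure Python;
not the paper's code. All sizes, keys and inputs are made up."""
import random

D_IN, HIDDEN, D_OUT, N_BITS = 4, 6, 3, 16   # toy sizes chosen for this example


def make_model(seed=0):
    """Random 2-layer MLP: y = W2 @ relu(W1 @ x + b1) + b2 (constructed weights)."""
    rng = random.Random(seed)
    return {
        "w1": [[rng.uniform(-1, 1) for _ in range(D_IN)] for _ in range(HIDDEN)],
        "b1": [rng.uniform(-1, 1) for _ in range(HIDDEN)],
        "w2": [[rng.uniform(-1, 1) for _ in range(HIDDEN)] for _ in range(D_OUT)],
        "b2": [rng.uniform(-1, 1) for _ in range(D_OUT)],
    }


def forward(m, x):
    h = [max(0.0, sum(w * xi for w, xi in zip(row, x)) + b)
         for row, b in zip(m["w1"], m["b1"])]
    return [sum(w * hi for w, hi in zip(row, h)) + b
            for row, b in zip(m["w2"], m["b2"])]


def make_key(seed=1):
    """Owner's secret projection matrix X, shape N_BITS x (HIDDEN * D_IN)."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(HIDDEN * D_IN)] for _ in range(N_BITS)]


def host_vector(m):
    """W1 flattened row by row: it depends on the *current* neuron order."""
    return [w for row in m["w1"] for w in row]


def extract(m, key):
    """Bit i = sign of the projection of the host vector onto key row i."""
    v = host_vector(m)
    return [1 if sum(k * vi for k, vi in zip(krow, v)) > 0 else 0 for krow in key]


def embed(m, key, bits, step=0.1, max_iter=5000):
    """Perceptron-style embedding (a stand-in for a training regularizer):
    nudge W1 along the key rows whose bit is wrong until all bits extract."""
    for _ in range(max_iter):
        got = extract(m, key)
        if got == bits:
            return True
        for krow, want, have in zip(key, bits, got):
            if want != have:
                sgn = 1.0 if want == 1 else -1.0
                flat = 0
                for row in m["w1"]:
                    for j in range(D_IN):
                        row[j] += step * sgn * krow[flat]
                        flat += 1
    return False


def permute_neurons(m, order):
    """Geometric attack: reorder the hidden neurons. Rows of W1/b1 and the
    matching columns of W2 move together, so the function is unchanged."""
    return {
        "w1": [list(m["w1"][i]) for i in order],
        "b1": [m["b1"][i] for i in order],
        "w2": [[row[i] for i in order] for row in m["w2"]],
        "b2": list(m["b2"]),
    }


def canonicalize(m):
    """Counter-measure (assumed here, not the paper's): sort hidden neurons by
    a permutation-invariant key, their outgoing W2 column, which embed()
    never modifies; ties fall back to the W1 row."""
    order = sorted(range(HIDDEN),
                   key=lambda i: ([row[i] for row in m["w2"]], m["w1"][i]))
    return permute_neurons(m, order)


def bit_error_rate(got, bits):
    return sum(a != b for a, b in zip(got, bits)) / len(bits)


def demo():
    """Returns (function_preserved, BER without counter-measure, BER with it)."""
    bits = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]   # constructed payload
    key = make_key()
    m = canonicalize(make_model())           # owner embeds in canonical order
    if not embed(m, key, bits):
        raise RuntimeError("embedding did not converge")
    x = [0.3, -1.2, 0.8, 0.1]                # constructed probe input
    attacked = permute_neurons(m, list(range(HIDDEN - 1, -1, -1)))  # reverse order
    preserved = all(abs(a - b) < 1e-9
                    for a, b in zip(forward(m, x), forward(attacked, x)))
    ber_naive = bit_error_rate(extract(attacked, key), bits)
    ber_canon = bit_error_rate(extract(canonicalize(attacked), key), bits)
    return preserved, ber_naive, ber_canon


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. First, the canonical key is computed from weights the embedding never modifies (the outgoing W2 column), otherwise embedding could change the sort order under its own feet and the owner would read back a different host vector than the one it wrote. Second, neuron permutation is not the only function-preserving transform available to an attacker of a ReLU network: scaling a hidden neuron's incoming weights and bias by a positive factor and dividing its outgoing column by the same factor also leaves the function unchanged, and the sort key above does not normalize for that, so a deployed extractor would need a scale-invariant canonical form as well.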